Re: AuthMeth issue summary
One background item is that we are trying to provide interoperability
between LDAP users of SASL in advance of all of the SASL framework being
completed as PS RFCs. Some of your issues are more generic SASL discussion
points. In authmeth-04 as part of a compromise between some of the groups of
implementors / users of authorization IDs in LDAP, we provided a specification
of authorization identities that allows for both DNs and arbitrary user
identities. (RFC 2222 4. #5 states that a protocol defines how the authorization
identity is to be interpreted). I would hope that there would be a SASL work
item at some point to more fully define how authorization identities can be
used that is independent of the underlying protocol: e.g. I want to have a
common authorization identity for a Web site accessed via HTTP, an IMAP store,
an LDAP directory, etc. Furthermore I would want to ensure that access control
systems which use authorization identities in implementations of each of
the underlying protocols can make interoperable decisions, such as how to
- validate an authorization identity (e.g. identities with an expiry date),
- compare two authorization identities for equality,
- map different kinds of real-world identities to authorization ids,
- express containment, wildcards, role<->occupant and group<->member
relationships between authorization identities,
- know whether an authorization identity is a capability and should be
protected as such, etc.
Once this is done by some SASL working group, then it would presumably
update 2222 section 4 #5 so that the interpretation of authorization identity
is not purely a protocol-specific function, and then the next revisions to
the LDAPv3, IMAP, HTTP etc RFCs could move the protocol-specific identity
information out into its own documents.
Mark Wahl, Directory Product Architect
Innosoft International, Inc.
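As an added illustration of the two operations the message lists first (validating an authorization identity and comparing two for equality) together with a group/member containment check, here is a constructed Python model that is not part of the message, of the authmeth draft, or of any IETF document. It assumes the two identity forms the message describes, a DN and an arbitrary user identity, and, as an assumption, writes them with a "dn:" / "u:" prefix; the DN normalisation and the group table are simplified placeholders.

```python
"""Toy model of LDAP SASL authorization identities (constructed example).

Assumptions, not taken from the message: identities are written as
"dn:<distinguished name>" or "u:<user identity>"; DN comparison is done on a
simplified canonical form (lower-cased attribute types and values, whitespace
around RDNs removed); group membership comes from a small in-memory table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthzId:
    kind: str   # "dn" or "u"; a DN-based identity never equals a user-based one
    value: str  # canonical form used for equality comparisons


def _normalize_dn(dn: str) -> str:
    """Split a DN on unescaped commas and lower-case each type=value pair.

    Real DN matching depends on the attribute syntax of each RDN; lower-casing
    everything is a deliberate simplification for this example.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":          # keep the escape and the next character verbatim
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for rdn in parts:
        typ, _, val = rdn.strip().partition("=")
        rdns.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


def parse_authzid(text: str) -> AuthzId:
    """Validate the textual form and return the canonical identity.

    Anything that is neither a "dn:" nor a "u:" identity is rejected rather
    than silently treated as a user name.
    """
    if text.startswith("dn:"):
        dn = text[3:]
        if not dn:
            raise ValueError("empty distinguished name")
        return AuthzId("dn", _normalize_dn(dn))
    if text.startswith("u:"):
        userid = text[2:]
        if not userid:
            raise ValueError("empty user identity")
        return AuthzId("u", userid.lower())
    raise ValueError(f"unrecognised authorization identity form: {text!r}")


def same_identity(a: str, b: str) -> bool:
    """Equality of two textual authorization identities after canonicalisation."""
    return parse_authzid(a) == parse_authzid(b)


# Constructed group -> members table, keyed by the canonical group identity.
GROUPS = {
    parse_authzid("dn:cn=admins,dc=example,dc=com"): {
        parse_authzid("dn:cn=Mark,dc=example,dc=com"),
        parse_authzid("u:alice"),
    },
}


def is_member(identity: str, group_dn: str) -> bool:
    """Group/member containment: is `identity` listed under `group_dn`?"""
    group = parse_authzid("dn:" + group_dn)
    return parse_authzid(identity) in GROUPS.get(group, set())


if __name__ == "__main__":
    print(same_identity("dn:CN=Mark, DC=Example, DC=com",
                        "dn:cn=mark,dc=example,dc=com"))   # True
    print(same_identity("u:mark", "dn:cn=mark,dc=example,dc=com"))  # False
    print(is_member("u:ALICE", "CN=Admins,DC=example,DC=com"))      # True
```

The point the model makes concrete is the one the message raises: without an agreed mapping, a user-form identity and a DN-form identity for the same person compare as different, so an access control list keyed on one form will not match a client that authenticated with the other.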